Functional
MergerWare is fully integrated M&A deal execution management used by firms to manage their Pre-deal, Due-diligence and Post-Merger Integration.
MergerWare is the brand globally and name of product. MergerWare Corporation sells this platform globally and brand name is “MergerWare”.
More information about security one can access the link https://www.mergerware.com/solution/mergerware-security-assurance-programs/
Technical
MergerWare provides a short duration trail to customers who wish to try within limited team before they deploy to larger groups within company. For the trial/POC a NDA and MSA (Master Services agreement) is required. MergerWare offers up to 5 full licenses without cost to client. However, server hosting and training cost is charged to Customers and adjusted with their final agreement cost post POC/Trial.
MergerWare is using an Agile process of product development and we release different product features as per our product roadmap and quick patches time to time. Once we install a particular version of software to our client and then we do further release of new features then customer will get the new features by default and also Customer Success manager will be informing Client in advance about the new feature and further a short training will be provided if needed.
Yes, licensed based on “Per User” basis, based on Named User.
GNU/Linux (Ubuntu 16.04 LTS)
Yes, Mongo DB – 3.6
Nginx, Node.js, pm2
Yes, Chrome Browser (Works best with Chrome), Firefox, Opera, Safari.
Yes, we can scale the system depending on number of concurrent users.
No new installation will be required. We will need additional physical infrastructure.
No this is not by default but can be done on customer request.
This is not a default feature but the product is extensible to support these if needed. We can get this integration done if customers’ needs such integration as part of Configuration Support.
Yes, an Application / System Administrator is required within M&A team to manage permission and access control within MergerWare. But this does not require any IT skills but anyone within M&A team can work as admin to control the overall platform set up and new deal set up.
Yes, this will be part of MSA (Master Service agreement) and detailed there along with SLA (Service level contract). MergerWare will do the maintenance and support post deployment to customers.
Yes, via Email and dedicated phone line, a Support portal. A detailed document outlining the support guideline and process details etc. will be provided. Post the contract Signing as per Master Service agreement a dedicated one point contact manager will be assigned who will co-ordinate all activities during whole contract period.
This is possible and can be mentioned in MSA (Master service agreement document) and discussed with MergerWare staff as your requirements. MergerWare will dedicate a resource at customer location at cost.
Hosting
Product will be installed on server. End User will access it via chrome browser or any other supported browser.
Ubuntu 16.04 LTS
We use MongoDB database. We might also need information’s of Customer provide MongoDB database infrastructure or related services.
MongoDB 3.6
Depends on number of users who will be using this product.
Depends on number of users who will be using this MergerWare.
Depends on number of users who will be using this product. Our product has a distributed architecture. It can be run on a single machine or multiple machines as needed by customers.
Security
General Questions:
Web storm, NPM, Nodejs, Meteor
SSL Labs Certified / ISO 27001.Pls read more on website for details.
MergerWare fully adheres to all Security standards and several aspects of security are monitored time to tile. However, customers are fully allowed to do all security checks at their cost if they need.
OWASP training, ISO27001 assessment and periodic training is done to all employees.
AWS SDK – This is needed for VDR functionality. Other requirements – DHTMLX, D3, Node .js, meteor and other NPM artifacts.
Yes, SSL labs, TUV is our authorized global third party vendors for doing a regular security audits and certification agency. They check of platform security as well as AWS infrastructure security and audits. A detailed report can be shared to customers on request.
Secure Development:
Server Security – Only http / https ports are allowed. OS hardening, Rate Limiter, Log watch deployed.Application Security – Multi factor authentication is the default option.
Client Security – All communication is encrypted (TLS). A+ rating by SslLabs. Content Security Policy Standard is active and implemented. This prevents Clickjacking, Cross Site Scripting (XSS), and Code injection.
Security Management:
Peer review and Automated testing by SslLabs. System Administrator preforms security tests. Security considerations are involved right from design, development, testing (Unit, Integration) till deployment.
Clickjacking, Cross site Injection and code injections are the vulnerabilities that we have tested it against. On server side, we have hardened OS.
Security risks once known from various security list are first evaluated based on its severity and impact. Upon identification, we prepare the fixes and a rollout plan. Based on severity, patch delivery time is determined and rolled out. We have SLAs in place as well to address it.
A customer account manager and security specialist gets in touch with client partner as soon as security vulnerabilities are discovered and patched. They are apprised of the situation along with the mitigation plan. Based on consent fixes are rolled out.
- Making a Patch Branch
- Applying Patches to update an installation
- Making Binaries for Patch Releases
- Reporting Problems & Fixes to Users
- Tracking version numbers
We do have Staging server for clients where patches are tested.
Authentication:
Use Username-Password and Email OTP combination to authenticate users.
Yes, uses strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM).
Change of user Role, Session Timeout triggers re-authentication.
All client server communication happens over TLS.
Authorization:
Role based Access Control (RBAC) is implemented in software.
No. It’s done manually by the administrator
Yes. Admin Role performs all authorization functions. All Authorization roles can be customized as per client’s requirement.
The system checks each action against Role based access control settings defined on server. All checks happen on server to deny any client side hacking. If the system cannot confirm user authorization, the default action is to deny access to resource.
Session Management:
Local Storage in browser is used to store session (loginToken and loginTokenExpires).
Use of loginTokenExpires setting in application.
System uses loginToken to track sessions. It is securely generated on server and transmitted over TLS to client’s browser and stored in browser’s local storage.
Yes, it allows concurrent sessions. On client’s request, we can disable concurrent sessions.
We use secure random to generate login tokens and store them in a cryptographically hashed way on server (similar to hashed password). All network transmissions are on TLS. Use of local storage also eliminates the need of setting http Only and secure attributes which are normally needed by cookies.
Data Validation:
Data is validated on client side for basic validation checks. On server, it is revalidated for domain constraints with API.
Any data transfer associated with http is properly encoded (in particular if it’s a part of URL). For Websockets we use different mechanism to encode data.
We use Content Security Policy extensively to protect against CSS and Injection Attacks. We whitelist the sources from which JavaScript files can be loaded (script-src). A detailed description of this can be found at https://www.html5rocks.com/en/tutorials/security/content-security-policy/
For Database, we use mongo and sanitize data before we store it in Db. Mongo being a NoSql database does not use SQL as query language and hence we don’t require protection against SQL injections
We do virus checks on upload of files and none of the files uploaded on server are directly executed.
Error Handling:
Errors are logged on server. If there are validation or Domain specific errors they are reported to clients.
Validation and Domain specific errors are displayed to clients. e.g. – Name Field should not be empty (Validation error)Task Start Date must be after Project Start Date (Domain Specific error)
Errors are reported and our monitoring systems depending of the severity and priority raises appropriate alarms. If it’s a temporary error (intermittent network issues) the system recovers automatically and in case of any non-recoverable errors MergerWare Admins and Client Admins are informed.
Logging:
Both Application (Client + Server) logs and System logs.
Critical Business information are masked in logs. Server monitoring Linux system contain system health information
Standard logging formats are used. E.g. Nginx log format (Similar to apache). Pm2 logs format for Node.js server logs.
Data Protection:
User Information, Project Information are considered sensitive. We use encryption extensively to protect data (Data at rest and in transit). Use of Bcrypt for password modules.
Critical Business information are masked in logs. Server monitoring Linux system contain system health information
loginToken, loginTokenExpires, UserId are temporarily stored on client machine upon successful login. These are removed once a user logs out. If the user logs in again this we generate new values for loginToken, loginTokenExpires, UserId. We do store few cookies to help us understand user interactions.
Password hashing – Bcrypt
File Encryption – AES-256-CBC
Network Transmission – TLS 1.2, a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM)
Yes, Data resides on encrypted disk partitions (Data at rest). All access to data is based on Roles and Permissions. Files are encrypted with AES 256-bit encryption and then stored.
The application uses both HTTPS and Secure WebSocket (wss) to pass data across application.
As the application is reactive (server pushing updates) we use websockets extensively. We follow the REST design principles as well.
Create – Http Post
Update – Http Put
Read – Http Get
Delete – Http Delete
No. The application does not have any demo or user configuration.
Yes, we use Content Security Policy’s X-Frame-Options to protect against clickjacking.
On-premise vs Cloud hosted
MergerWare recommends and advises Customers to use Cloud based deployment modals
While selecting a new M&A software for your business, one of the most important factors which you should consider is whether you’ll choose to have your software on-premise or Cloud. Cloud M&A software is now more common than ever before, but on-premise software has their fair share of benefits too.
To understand which platform would be best for your business, let’s look at the requirements list: –
Understanding your requirements
Before you set out to choose a M&A Cloud software, there are some pointers which you’d need to keep in mind: –
- Are you willing to shed out a huge sum as set up costs as all the hardware and servers for running the MergerWare software?
- Are you willing to have additional cost of R&D who would constantly work on maintaining your software?
- How confidential is the data that you will be handling and how important is security to your business?
- Is your business constantly expanding? In which case, would you require continuous upgrades and customization?
- Is your business spread across different locations or are you planning on spreading your business across different locations?
- Do you require to check different types of reports on a day to day basis?
- Are you looking to constantly track all your M&A teams on daily basis?
Let me help you figure out which system would be best for your business by answering each of the above questions.
On–premise Software Set up
- A hefty setup cost is involved for deploying an on-premise software. These Set up costs may start from as high as $30,000 and can go up based upon requirement. This involves all the hardware, server and cost of creating a set up and resources.
- With on-premise deployment, upgrade or customization can be very expensive and deployment of these upgrades may take a while.
On-premise software requires constant maintenance. This can be costly and hard to manage.
Cloud deployment Set up
- There is no need to dish out a huge sum as set up costs as all the hardware and servers for running the software are hosted by the vendor. This makes MergerWare platform a more economical choice.
- MergerWare charges you per user. The charge per user is always lower. This is a more economical choice for most of customer.
- The customization and new releases of the software is easy and readily available. It can be deployed almost instantly. The cost incurred for such deployment is very minimal as compared to its counterpart.
You don’t have to worry about maintenance and the additional costs and hassle that come with it, as it is the responsibility of the MergerWare. This again makes MergerWare a more feasible choice.
Scalability
On-premise Set up
Scaling up an on-premise software is a very costly option. It involves cost of manpower, resources and ends up burning a huge budget. It might not be feasible to scale up the software to just add a user or two.
Cloud set up
You can scale up or down an MergerWare software based on your business requirement easily. Cloud based deployment gives you the freedom to select the plans based upon your requirement like upgrade to VDR space or users. Customers can choose a location of AWS server based on their choice to have full control on data security.
Geographically spread teams
On-premise Set up
It is very difficult and costly to build an on-premise set up for teams which spread across different geographical locations. Moreover, a lot of time is taken for any upgrades or customization to be deployed across every location. The data processed across different locations take time to be visible to others, which can lead to inefficient M&A management.
Cloud Set up
Cloud Set up can be easily used by different geographical teams. The data being generated across different locations are accessible to everyone in real time. This means that your Headquarters in Paris can instantly see a M&A deal report consolidated across different location and different teams.
Conclusion
Both the systems have their own pros and cons. However, the pros of a MergerWare Cloud deployment overweigh its counterpart – making it a more viable choice for a constantly growing M&A deal execution complexities and challenges with cross borders teams working across stream.
To manage your M&A deal executions from any part of the globe – try MergerWare